CVE-2026-2004
Modified
Modified - Updated After Analysis
Arbitrary Code Execution via Input Validation Flaw in PostgreSQL intarray
Vulnerability report for CVE-2026-2004, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.
Publication date: 2026-02-12
Last updated on: 2026-06-30
Assigner: PostgreSQL
Description
Description
Missing validation of type of input in PostgreSQL intarray extension selectivity estimator function allows an object creator to execute arbitrary code as the operating system user running the database. Versions before PostgreSQL 18.2, 17.8, 16.12, 15.16, and 14.21 are affected.
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| postgresql | postgresql | From 18.0 (inc) to 18.2 (exc) |
| postgresql | postgresql | From 14.0 (inc) to 14.21 (exc) |
| postgresql | postgresql | From 15.0 (inc) to 15.16 (exc) |
| postgresql | postgresql | From 16.0 (inc) to 16.12 (exc) |
| postgresql | postgresql | From 17.0 (inc) to 17.8 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-1287 | The product receives input that is expected to be of a certain type, but it does not validate or incorrectly validates that the input is actually of the expected type. |